The Bulgarian And Soviet Virus Factories Essays - Computer Viruses

The Bulgarian and Soviet Virus Factories The Bulgarian and Soviet Virus Factories ======================================== Vesselin Bontchev, Director Laboratory of Computer Virology Bulgarian Academy of Sciences, Sofia, Bulgaria 0) Abstract =========== It is now well known that Bulgaria is leader in computer virus production and the USSR is following closely. This paper tries to answer the main questions: Who makes viruses there, What viruses are made, and Why this is done. It also underlines the impact of this process on the West, as well as on the national software industry. 1) How the story began ====================== Just three years ago there were no computer viruses in Bulgaria. After all, these were things that can happen only in the capitalist countries. They were first mentioned in the April issue of the Bulgarian computer magazine "Komputar za vas" ("Computer for you") [KV88] in a paper, translated from the German magazine "Chip" [Chip]. Soon after that, the same Bulgarian magazine published an article [KV89]], explaining why computer viruses cannot be dangerous. The arguments presented were, in general, correct, but the author had completely missed the fact that the majority of PC users are not experienced programmers. A few months later, in the fall of the same year, two men came in the editor's office of the magazine and claimed that they have found a computer virus. Careful examination showed that it was the VIENNA virus. At that time the computer virus was a completely new idea for us. To make a computer program, whose performance resembles a live being, is able to replicate and to move from computer to computer even against the will of the user, seemed extremely exciting. The fact that "it can be done" and that even "it had been done" spread in our country like wildfire. Soon hackers obtained a copy of the virus and began to hack it. It was noticed that the program contains no "black magic" and that it was even quite sloppily written. Soon new, home--made and improved versions appeared. Some of them were produced just by assembling the disassembly of the virus using a better optimizing assembler. Some were optimized by hand. As a result, now there are several versions of this virus, that were created in Bulgaria --- versions with infective lengths of 627, 623, 622, 435, 367, 353 and even 348 bytes. The virus has been made almost two times shorter (its original infective length is 648 bytes) without any loss of functionality. This virus was the first case. Soon after that, we were "visited" by the CASCADE and the PING PONG viruses. The later was the first boot--sector virus and proved that this special area, present on every diskette can be used as a virus carrier, too. All these three viruses were probably imported with illegal copies of pirated programs. 2) Who, What & Why. =================== 2.1) The first Bulgarian virus. ------------------------------- At that time both known viruses that infected files ( VIENNA and CASCADE) infected only COM files. This made me believe that the infection of EXE files was much more difficult. Unfortunately, I made the mistake by telling my opinion to a friend of mine. Let's call him "V.B." for privacy reasons.(1) ................................................................... [(1) These are the initials of his true name. It will be the same with the other virus writers that I shall mention. Please note, that while I have the same initials (and even his full name resembles mine), we are two different persons.] ................................................................... The challenge was taken immediately and soon after that I received a simple virus that was able to infect only EXE files. It is now known to the world under the name of OLD YANKEE. The reason for this is that when the virus infects a new file, it plays the "Yankee Doodle" melody. The virus itself was quite trivial. Its only feature was its ability to infect EXE files. The author of this virus even distributed its source code (or, more exactly, the source code of the program that releases it). Nevertheless, the virus did not spread very widely and even had not been modified a lot. Only a few sites reported to be infected by it. Probably the reason for this was the fact, that the virus was non--resident and that it infected files only on the current drive. So the only possibility to get infected by it was to copy an infected file from one computer to another. When the puzzle of creating a virus which is able to infect EXE files was solved, V.B. lost his interest in this field and didn't write any other viruses. As far as I know, he currently works in real--time signal processing. 2.2)